
Summary

Report Number: 2010-025
Report Title: Agency for Health Care Administration - Florida Medicaid Management Information System and Decision Support System - Information Technology Operational Audit
Report Period: 10/2008 - 04/2009
Release Date: 10/09/2009

Sections 409.901(2) and (15), Florida Statutes, designate the Agency for Health Care Administration (Agency) as the single State agency that administers or supervises the administration of the State Medicaid plan under Federal law.  Electronic Data Systems (EDS) became the Medicaid fiscal agent on June 26, 2008, and developed and operates the Florida Medicaid Management Information System (FMMIS) and Decision Support System (DSS).  FMMIS is used to enroll providers, process Medicaid claims, adjudicate claims, accept and process encounter claims for data collection, and reimburse providers.  FMMIS data is imported into DSS to enable efficient reporting and data analysis.  The Medicaid Program is highly dependent on the security, integrity, and proper functioning of FMMIS and DSS.

Our audit focused on evaluating the effectiveness of selected Information Technology (IT) controls applicable to FMMIS and DSS during the period October 2008 through April 2009 and selected actions through June 2009.  Our audit disclosed numerous instances where FMMIS and DSS IT controls were deficient or needed improvement.  These control issues limit the Agency's assurance of the security and reliability of Medicaid Program data and the Agency's accountability over the Medicaid Program.  Our findings are summarized below:

Finding No. 1:  The Agency and EDS lacked appropriate access control documentation to demonstrate the business justification for access privileges granted within FMMIS, DSS, and the related software.

Finding No. 2:  In some instances, system access privileges were inconsistent with employee or contractor job functions.  In addition, neither the Agency nor EDS performed periodic reviews of the appropriateness of access privileges.

Finding No. 3:  Some former contractor access privileges were not removed in a timely manner.

Finding No. 4:  Generic user identifications (IDs) for database administration were being shared by contractor staff.

Finding No. 5:  Certain access controls were deficient in the areas of user authentication, session controls, and logging of system activity.

Finding No. 6:  Program and data change controls for FMMIS and DSS needed improvement.

Finding No. 7:  Agency reconciliation documentation of FMMIS data with DSS data was incomplete and contained discrepancies, limiting the Agency's ability to demonstrate the accuracy and completeness of DSS data.


Management's response is included in the audit report as Exhibit A.